Fraudster Targets Cryptocurrency Wallets with a Variety of Info Stealers

An online scammer targeting thousands of victims interested in cryptocurrencies runs a large and diverse business that includes phishing and fraud operations.

The crook tempts users with offers to make digital coins the easy way, to trick them into installing information-stealing malware and backdoors that provide access to sensitive data.

Fraudulent websites look professional

Security researchers from the antivirus company Doctor Web identify the scammer by the aliases Investimer, Hyipblock, and Mmpower, and noted that their main interest is the Dogecoin cryptocurrency.

Investimer's scams range from setting up websites that impersonate a legitimate exchange service to running fake online lotteries, renting out non-existent cryptocurrency mining pools, or promising digital coins for the simple job of browsing the web.

It is important to note that the fraudster put effort into creating professional-looking websites. One of them displays a McAfee Secure trust seal and advertises a secure connection.

The one offering a mining pool comes complete with an FAQ section and an area showing the alleged developers of the service, who are real people involved in the cryptocurrency sector.

This way, if the potential victim has any suspicions about the legitimacy of the service and decides to check the developers, they will find that they are indeed connected in some way to digital coins.

The main purpose behind these efforts is to compromise computers and steal any cryptocurrency and money held in digital wallets present on the machine. Experts estimate that the number of victims Investimer defrauded this way is in excess of 10,000.

According to research, a "paid browsing" scam from the same author had more than 11,000 registered users. One fake lottery project of the scammer had attracted over 6,800 registrations.

Fraudster uses multiple information stealers

What all the scams have in common is a request to download a malicious program that supposedly helps the potential victim do the work that earns them digital coins.

The information stealers served this way are known as Eredel, AZOrult, Kpot, Kratos, N0F1L3, ACRUX, Predator the Thief, Arkei and Pony. This assortment is typically found on underground forums, for various prices.

For remote access and monitoring, Investimer uses the Spy-Agent backdoor, which is based on TeamViewer, along with the DarkVNC and HVNC backdoors, which use the VNC protocol.

The researchers discovered that the scammer's preferred malware dropper is Smoke Loader, and that he uses multiple Russian hosting providers (jino.ru, marosnet.ru, and hostlife.net) to run the command and control (C2) servers, placed behind the Cloudflare content delivery network.

Conventional phishing is also used

Although these projects are more elaborate, the scammer also resorted to simple phishing schemes to trick users.

"They have created a website that offers a reward for bringing new users to the Ethereum payment system, but actually collects the information users enter during registration and transfers it to the attacker," Doctor Web reported today.

Judging by the diversity of this illegal business, it is easy to conclude that Investimer is not new at this. The scammer "reportedly has been involved in other online scams as well, including online games based on the financial pyramid principle," the experts say.

In contrast to the large number of operations discovered, the financial damage seems quite low, with at least $24,000 in profit.

Ionut Ilascu is freelancing as a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.